Abstract

We present a novel approach, based on multiple-valued logic (MVL), to the verification and analysis of digital hardware designs, which extends the common ternary or quaternary approaches for simulations. The simulations, which are performed in the more informative MVL setting, reveal details which are either invisible or harder to detect through binary or ternary simulations. In equivalence verification, detecting different behavior under MVL simulations may lead to the discovery of a genuine binary nonequivalence or to a qualitative gap between two designs. The value of a variable in a simulation may hold information about its degree of truth and its “place of birth” and “date of birth”. Applications include equivalence verification, initialization, assertions generation and verification, partial control on the flow of data by prioritizing and block-oriented simulations. Much of the paper is devoted to theoretical aspects behind the MVL approach, including the reason for choosing a specific algebra for computations, and the introduction of the verification complexity of a Boolean expression. Two basic algorithms are presented.


1 Introduction 


The verification and analysis of digital hardware (HW) circuits [16] has long become a major challenge during the design process. While formal verification methods such as model checking of properties and formal equivalence [13] are complete, they can only be applied to designs of limited size. The traditional and older method of verification through simulations is incomplete, however it can be applied to larger designs. Hybrid verification methods, which combine concrete or symbolic simulations with formal methods, are also common [?].

In simulations based on ternary logic (see e.g. [?]) the domain of values of each signal is extended to include a “don’t care” (sometimes “unknown”) value X. It is also common to perform simulation based on quaternary logic, which includes a fourth “high-impedance” value Z. Such logics are also used for abstracting symbolic simulations [?], [?], [?], in the model checking technique Symbolic Trajectory Evaluation (STE) [?], in the initialization phase [?] and in equivalence verification [?].
The extension to Multiple-Valued Logic (MVL) beyond 3 or 4 values normally refers to representing a collection of bits as a word or a collection of memory elements as a register when performing simulations with hardware description languages (see e.g. [?]). In addition, some memory devices, arithmetic blocks and FPGAs operate with inputs and outputs which are not binary but multiple-valued. In general, combinational designs which represent Boolean functions of several variables $f : \{0,1\}^n \to \{0,1\}$ are naturally studied for their algebraic or analytic properties as operating on multi-valued domains of words of length $n$ (see, e.g. [?]).

The approach presented here is not to use MVL for treating a collection of binary elements as basic units but rather for performing MVL operations on the binary gate-level elements, extending the ternary-based simulations methodology. The extension is done by adopting the semantics of the standard fuzzy operators (Zadeh operators): the AND, OR and NOT gates are transformed into the minimum, maximum and negation operators, and the binary domain to $Z$, an extension of the set of integers with $\pm\infty$ (where 0 is mostly ignored).

This extension is simultaneously of a refinement and of an abstraction nature. The refinement comes from the wider domain of values, which can distinguish between designs that are binary equivalent. In some cases such a distinction refers to differences in the qualities of the designs. In other cases it can hint to the existence of a binary nonequivalence, which may be difficult to detect. Since nonequivalence in the MVL setting is easier to find, we can search in the near environment of an MVL nonequivalence for a “genuine”, i.e. binary, nonequivalence. We present an algorithm which is based on these ideas.
The abstraction side of performing simulations over MVL is due to being able to treat some of the values as both “care” and “don’t care”, such that the simulation results can be projected both to binary and to ternary logic. Unlike simulations done in ternary logic, in the more informative MVL the boundary between the “care” and “don’t care” values need not be determined in advance but rather is dynamic and set upon each simulation according to the output value. This property (as stated in Theorem 3.4) is a key factor in applying MVL for the verification of binary designs. We would like to emphasize that this kind of fuzziness is not a matter of interpretation. Once the outcome of a simulation is obtained, the vagueness disappears and the boundary between the “care” and the “don’t care” values is clear.

Another special characteristic of MVL simulations is that we can incorporate more information into the domain of values, e.g. temporal and space information. Thus, whereas in binary logic we can observe the change in values of a specific variable along time, in MVL simulations of sequential designs we can observe also the change in space of a specific value along time.

The picture is the following. Suppose that the inputs to a combinational design are assigned values which are of distinct absolute values. Then these absolute values are spread along the design in the form of a spanning forest. In particular, there is a path leading from each primary output to an input variable. In sequential designs, the input values may be augmented with a “date of birth”, such that at each state of a simulation sequence the values of the signals represent, in addition to truth degree, the time when these values were first introduced (and we can also know at which input signal).

Applications include equivalence verification, initialization, assertions generation and verification, partial control on the flow of data by prioritizing and block-oriented simulations. Basic algorithms and general directions towards achieving these goals are presented.

A large part of the paper is devoted to the theory behind the MVL approach that we present. In Section 2 we analyze the type of MVL that meets our needs and its appropriate semantics M. We also discuss the problematics of ternary logic which is commonly used in HW simulations. In Section 3 we prove the fundamental theorem about the information gained from evaluating Boolean expressions over M, on which our approach for simulations relies. These results have a strong connection to the Disjunctive Normal Form (DNF) of the Boolean expressions, when the reductions towards DNF are done according to the laws of De Morgan algebras, as demonstrated in Section 4. The DNF plays a role in the definition of the verification complexity that we introduce in Section 5. This kind of complexity refers to the difficulty of functional validation of a Boolean expression, and differs from the usual complexity which relies on the size of the Boolean expression.

Section 6 deals with performing simulations over M in the verification of combinational circuits. A basic algorithm for computing maximal abstract valuations is given, and this algorithm can serve within more complex algorithms for different verification tasks. An example of such an algorithm is one which is devoted to equivalence verification, as described above (searching for binary nonequivalence in the near environment of an M-nonequivalence). In Section 7 we discuss briefly the potential of M-based simulations in the verification of sequential circuits, including the importance of including temporal data in the simulation.


2 A Suitable MVL and its Semantics M 


Most modern digital computers are based on binary Boolean algebra, denoted here $B_2$. It has two values: T (True, 1) and F (False, 0), and operators like $\neg$ (NOT, negation, complement), $\wedge$ (AND, conjunction, meet), $\vee$ (OR, disjunction, join). Other operators may be defined through these operators, e.g. implication $\varphi \to \psi$ is defined to be $\neg\varphi \vee \psi$.

Our goal is to transform circuit designs which are based on $B_2$ to designs which are based on MVL, such that simulations performed on the transformed designs will be more informative than the ones performed on the original designs. The significant point here is that the information gained through the MVL simulations should be applicable to the original binary designs, since, after all, these are the ones that need to be verified.

First, let us look at the most common extensions, i.e. to ternary logics. There are several possible such extensions, and we refer here to 3 known ones: Kleene’s “strong” logic $K_3$ [?], Łukasiewicz’ $L_3$ [?] and Bochvar’s $B_3$ [?] (also known as Kleene’s “weak” logic). In addition to T and F, they all contain a third value, denoted here by X. The three logics interpret X differently.


• In $K_3$ the meaning of X is some “vague” value between T and F, which is neither T nor F. Hence, we have $X \to X = \neg X \vee X = X$.

• In $L_3$ the value X represents “uncertainty”: it can be either T or F. Hence, $X \to X = T$ since $p \to p$ is a tautology in binary logic. Note, however, that the two binary equivalent formulas $\varphi \to \psi$ and $\neg\varphi \vee \psi$ are not equivalent in $L_3$: the law of excluded middle does not hold and $\neg X \vee X = X$.

• In the logic $B_3$ X is interpreted as “meaningless” (or “undefined” in our modern Computer Science terminology). Hence, any expression that contains at least one X value is evaluated to X.

A signal in a circuit is supposed to represent some binary value, either T or F. When performing simulations or formal verification over ternary logic, there are two main reasons for assigning the value X to a variable $v$.

• One is for representing “uncertainty”, i.e. when the binary value of $v$ is unknown or not supposed to be determined.

• The other is for expressing “don’t care”, e.g. when the output of an element does not depend on the binary value of $v$, or when we want to abstract away from the concrete setting.

Our intention is to extract more information about the binary design when performing MVL simulations, but in a way that conforms with the original (binary) behavior of the system. Thus, $B_3$ is not suited for this purpose because it blocks any extra information that may be learned about the design beyond the fact that there exists some variable with an X value in case the output is X. In $K_3$ both $v \to v$ and $\neg v \vee v$ equal X when $v$ is assigned the value X, although the value of the output signal is always T in the circuit itself. Consequently, $K_3$ may be less informative (or of higher entropy) than $B_2$. Nevertheless, the logic $K_3$ is the one that prevails in HW verification. The same problem with $\neg v \vee v$ exists in $L_3$, and in addition, the fact that $\varphi \to \psi$ and $\neg\varphi \vee \psi$ are not equivalent in $L_3$ is another inconsistency with $B_2$.

In order to overcome the limitations of the ternary extensions shown above, we will apply MVL in a (maybe surprising) way that will keep the boundary between the “don’t care” and “care” values flexible and dynamic. It will always be possible to map the simulations done in MVL to $B_2$ in a fixed manner and without any vagueness. On the other hand, each simulation will tell us which values are for sure “don’t care” for this specific simulation. The expressions $\varphi \to \varphi$ and $\neg\varphi \vee \varphi$ will be equivalent in the new setting. Moreover, they will always be evaluated to T when mapped to $B_2$. When mapped to ternary values with $\varphi$ mapped to X then $\varphi \to \varphi$ and $\neg\varphi \vee \varphi$ will also be mapped to X, as in $K_3$ (and clearly, if $\varphi$ is mapped to F or to T then $\varphi \to \varphi$ and $\neg\varphi \vee \varphi$ will be mapped to T).

Now we come to general multiple-valued logics. These are logics with more than 2 values, including infinitely-many values [?], [?]. Such systems were introduced by Łukasiewicz, Gödel, Post and many others. Chang [?], [?] introduced MV-algebras, which generalize Boolean algebras, in order to study Łukasiewicz’ logics. Zadeh introduced fuzzy sets and fuzzy logic [?], [?], [?], where the domain of values is infinite: the closed unit interval.

Since we want the MVL simulations to conform with both $B_2$ and $K_3$, the algebraic laws of these logics should hold in the chosen MVL. In addition, we need to choose a suitable semantics M for realizing the MVL. So, first we need two designated elements denoted by $\top$ and $\bot$, corresponding to T and F, and three operators $\wedge$, $\vee$ and $\neg$. Then, there should be at least one homomorphism $p : M \to B_2$ and at least one homomorphism $p : M \to K_3$, such that $p(\top) = T$ and $p(\bot) = F$. (Recall that a homomorphism is a map that respects the operations: $p(a \wedge b) = p(a) \wedge p(b)$, $p(a \vee b) = p(a) \vee p(b)$ and $p(\neg a) = \neg p(a)$.)

A natural demand is that the following set of laws of De Morgan algebras should hold in M:

1. Commutativity: $a \wedge b = b \wedge a$ and $a \vee b = b \vee a$;

2. Associativity: $a \wedge (b \wedge c) = (a \wedge b) \wedge c$ and $a \vee (b \vee c) = (a \vee b) \vee c$;

3. Idempotence: $a \wedge a = a$ and $a \vee a = a$;

4. Absorption: $a \wedge (a \vee b) = a$ and $a \vee (a \wedge b) = a$;

5. Distributivity: $a \wedge (b \vee c) = (a \wedge b) \vee (a \wedge c)$ and $a \vee (b \wedge c) = (a \vee b) \wedge (a \vee c)$;

6. Identity: $a \wedge \top = a$ and $a \vee \bot = a$;

7. Consumption: $a \wedge \bot = \bot$ and $a \vee \top = \top$;

8. Duality: $\neg\top = \bot$ and $\neg\bot = \top$;

9. Double Negation: $\neg\neg a = a$;

10. De Morgan: $\neg(a \wedge b) = \neg a \vee \neg b$ and $\neg(a \vee b) = \neg a \wedge \neg b$.

Note that for a minimal set, the first law at each line suffices. Also, Absorption may be defined through Identity, Distributivity and Consumption.

The question is how to treat the complementation law $a \vee \neg a = \top$ and $a \wedge \neg a = \bot$ of Boolean algebras. It should clearly hold for $a = \top$ and for $a = \bot$. However, we do not want it to hold for all other values of M (as in MV-algebras, which provide semantics to generalizations of $L_3$), because then we will not gain any further information from working over MVL. So, we replace the complementation law with the weaker orthocomplementation law: $a \vee \neg a = \top$ should hold for $\top$ and $\bot$ but not necessarily for all elements. It is easy to see that this requirement is satisfied in De Morgan algebras.

With the above rules we can form a lattice. Better though is to have a complete ordered set, so that any two elements of M could be compared, with $\bot$ and $\top$ being the minimal and the maximal elements respectively: $a > \bot$ for every $a \neq \bot$, and $a < \top$ for every $a \neq \top$. Given a lattice, one defines $a \le b$ if and only if $a \wedge b = a$ and $a \vee b = b$. Thus, in an ordered set the operator $\wedge$ is defined to be the minimum and $\vee$ is defined to be the maximum. By the De Morgan law, we have: $a \le b$ implies $\neg b \le \neg a$, which then implies:

11. For all $a, b$: $a \wedge \neg a \le b \vee \neg b$.

A system which satisfies the above 11 laws is called a Kleene algebra (we remark that there exist in the literature other definitions of Kleene algebras).

One possible semantics that meets all the above requirements is that of fuzzy logic, with the set of values being the closed unit interval, with 1 representing $\top$ and 0 representing $\bot$, and the operators minimum (for $\wedge$), maximum (for $\vee$) and complement $a \mapsto 1 - a$ (for $\neg a$). Note that another common semantics for fuzzy logic, in which multiplication comes instead of the minimum operation for $\wedge$, is rejected since when mapping to $K_3$ it may happen that $a$ and $b$ will be mapped to T while $a \cdot b$ will be mapped to X, which is not a homomorphism.

For convenience, instead of the unit interval of the continuum cardinality we choose for the domain of values of M the countable set $Z = (\mathbb{Z} \setminus \{0\}) \cup \{-\infty, \infty\}$, with the operations $\wedge$, $\vee$ and $\neg$ interpreted as minimum, maximum and negation respectively. The reason for working over $Z$ instead of over $[0, 1]$, with 0 instead of 0.5 as the mid-point of symmetry, is that it enables using the notion of absolute value, which plays a crucial role in the theory that will be presented. In practice, we do not need the whole range of values of the integers, and a finite symmetric set around 0 suffices. The fact that we omit the value 0 from the domain of values has to do with the above discussion of being able to treat values simultaneously as “care” and “don’t care”, and gaining more information from computations. However, in cases where these considerations do not matter, we may also use the value 0 when taking into account complexity considerations, since 0 behaves like the value X in ternary logic: it equals its own negation.

In Table 1 we demonstrate the behavior of the operators $\wedge$, $\vee$ and $\oplus$ (exclusive-or, i.e. $a \oplus b := (a \wedge \neg b) \vee (\neg a \wedge b)$) in M.

    a     b    ¬a    ¬b   a∧b   a∨b   a⊕b
   -2    -1     2     1    -2    -1    -1
   -2     1     2    -1    -2     1     1
   -1     2     1    -2    -1     2     1
    1     2    -1    -2     1     2    -1

Table 1: M operators

The homomorphism $p : M \to B_2$ is clear: $p(a) = F$ for $a < 0$, $p(a) = T$ for $a > 0$. Then, for every $n > 0$, $n \in \mathbb{Z}$, we define $p_n : M \to K_3$ by:

$$
p_n(a) = \begin{cases} F & \text{for } a \le -n \\ X & \text{for } -n < a < n \\ T & \text{for } a \ge n \end{cases} \qquad (1)
$$
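The following added example (not code from the paper) realizes the semantics M of this section in Python: AND, OR and NOT as minimum, maximum and negation over $Z$, the maps $p$ and $p_n$ of equation (1), and a check that $p_n$ is a homomorphism onto Kleene's $K_3$ while the product semantics for $\wedge$ is not. It regenerates Table 1 and assumes, as an encoding, that $\pm\infty$ are Python's infinities and that the boundary values $\pm n$ map to T/F (as the proof of Theorem 3.2 requires); the threshold map from the unit interval is a constructed analogue of $p_n$.

```python
import math
from itertools import product

# Semantics M (assumed encoding, not the paper's code): values are Python ints other
# than 0, plus +/- infinity; AND = min, OR = max, NOT = negation.
INF, NEG_INF = math.inf, -math.inf

def m_and(a, b):
    return min(a, b)

def m_or(a, b):
    return max(a, b)

def m_not(a):
    return -a

def m_xor(a, b):
    """a (+) b := (a AND NOT b) OR (NOT a AND b), as in Table 1."""
    return m_or(m_and(a, m_not(b)), m_and(m_not(a), b))

def p(a):
    """Homomorphism M -> B2: negative values are F, positive values are T."""
    return 'T' if a > 0 else 'F'

def p_n(n, a):
    """Homomorphism M -> K3 of equation (1); the boundary values +/-n map to T/F,
    as the proof of Theorem 3.2 requires (p_{|a_i|}(+/-a_i) != X)."""
    if a <= -n:
        return 'F'
    if a >= n:
        return 'T'
    return 'X'

# Kleene's strong K3 on {'F', 'X', 'T'}: AND/OR are min/max in the order F < X < T.
K3_RANK = {'F': 0, 'X': 1, 'T': 2}

def k3_and(u, v):
    return min(u, v, key=K3_RANK.get)

def k3_or(u, v):
    return max(u, v, key=K3_RANK.get)

def k3_not(u):
    return {'F': 'T', 'X': 'X', 'T': 'F'}[u]

def table1():
    """Rows (a, b, NOT a, NOT b, a AND b, a OR b, a XOR b) for the valuations of Table 1."""
    return [(a, b, m_not(a), m_not(b), m_and(a, b), m_or(a, b), m_xor(a, b))
            for a, b in [(-2, -1), (-2, 1), (-1, 2), (1, 2)]]

def p_n_is_homomorphism(n, domain):
    """Check p_n(x op y) == p_n(x) op p_n(y) for every pair in `domain`, and likewise NOT."""
    for a, b in product(domain, repeat=2):
        if p_n(n, m_and(a, b)) != k3_and(p_n(n, a), p_n(n, b)):
            return False
        if p_n(n, m_or(a, b)) != k3_or(p_n(n, a), p_n(n, b)):
            return False
    return all(p_n(n, m_not(a)) == k3_not(p_n(n, a)) for a in domain)

def unit_to_k3(t, a):
    """Constructed threshold map [0,1] -> K3 for the fuzzy (unit interval) semantics:
    T from t upwards, F from 1-t downwards, X in between."""
    if a >= t:
        return 'T'
    if a <= 1 - t:
        return 'F'
    return 'X'

def product_and_vs_min_and(t=0.75, a=0.8, b=0.8):
    """Why the product t-norm is rejected: returns (image of a*b, image of min(a,b),
    k3_and of the images). With the product the first differs from the third, so the
    map is not a homomorphism; with min it agrees."""
    ua, ub = unit_to_k3(t, a), unit_to_k3(t, b)
    return unit_to_k3(t, a * b), unit_to_k3(t, min(a, b)), k3_and(ua, ub)

# Constructed finite symmetric sample of Z, including the two infinities.
SAMPLE_DOMAIN = [NEG_INF, -4, -3, -2, -1, 1, 2, 3, 4, INF]

if __name__ == '__main__':
    for row in table1():
        print(row)
    print('p_2 homomorphism:', p_n_is_homomorphism(2, SAMPLE_DOMAIN))
    print('product vs min  :', product_and_vs_min_and())
```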

3 Computation over M 

A valuation $v$ of the variables $x_1, \ldots, x_n$ in M (that is, in the domain $Z$) is a mapping $x_1 = a_1, \ldots, x_n = a_n$, $a_i \in M$. Given an expression (a propositional formula) $\varphi(x_1, \ldots, x_n)$ and a valuation $v$ as above, we denote by $[\varphi]_v$ the evaluation $[\varphi]_v = \varphi(a_1, \ldots, a_n) \in M$ when looking at $\varphi$ as a function $\varphi : M^n \to M$. The expression $\varphi$ can be represented as a Directed Acyclic Graph (DAG) $G = G_\varphi$, and we denote the computation graph of $[\varphi]_v$ by $G(a_1, \ldots, a_n)$. The leaves of $G(a_1, \ldots, a_n)$ are labeled with $a_1, \ldots, a_n$, its root with the value $\varphi(a_1, \ldots, a_n)$, and each internal node representing a sub-expression $\psi$ with the value $[\psi]_v$.

Proposition 3.1. Let $\varphi(x_1, \ldots, x_n)$ be an expression and let $x_1 = a_1, \ldots, x_n = a_n$ be a valuation in M. Let $G(a_1, \ldots, a_n)$ be the corresponding computation graph. Then, for some $i$, $1 \le i \le n$, $|\varphi(a_1, \ldots, a_n)| = |a_i|$, and there exists a path (at least one) from the root of $G$ to a leaf of it, such that the label of each node along this path is of absolute value $|a_i|$.

Proof. By induction on the composition depth of $\varphi$ and by the fact that the operations of negation, maximum and minimum preserve the absolute value of one of the operands. □

To illustrate the result of Proposition 3.1, suppose that the absolute values $|a_1|, \ldots, |a_n|$ are pairwise distinct, and we label all the nodes of the graph $G = G_\varphi$ by their values, and the edges by the label of their initial nodes. Then we color the vertices of $G$ with $n$ different colors, such that nodes whose labels are of the same absolute value get the same color. Next, for each non-leaf node $v = u_1 \vee u_2$ or $v = u_1 \wedge u_2$ ($u_1, u_2$ are the “input” nodes of $v$), the value of $v$ equals the value of some input node $u_i$, $i = 1$ or $i = 2$ (if $v$ equals both inputs then we choose one of them). Then we color the edge from this input node $u_i$ to $v$ in the same color as $u_i$, and leave the other in-going edge to $v$ uncolored. If $v = \neg u$ then we color the edge from $u$ to $v$ in the color of $u$. The result is that each subgraph $G_i$, $i = 1, \ldots, n$, consisting of the vertices and edges of the same color, is in the form of a tree, whose root is a primary input (a leaf of $G$). The union of the disjoint subgraphs $G_i$ forms a spanning forest of $G$.

When the leaves of $G$ are not of distinct absolute values then the result is still a spanning forest (now we do not necessarily have a specific root for each tree). A generalization of this picture of a spanning forest to the case where the operators $\vee$ and $\wedge$ have more than 2 arguments is straightforward.

Example 3.1. In Fig. 1 we can see the combined graph corresponding to the computation of two expressions over M. The operators $\vee$, $\wedge$ and $\neg$, interpreted as maximum, minimum and negation in M, are represented by the common gate symbols for the same operators. The result is a computation of a simple combinational circuit design with two outputs. The additional XOR symbol represents $a \oplus b := (a \wedge \neg b) \vee (\neg a \wedge b)$. The valuation of the arguments is of distinct absolute values, and the solid-line colored subgraph forms a spanning forest.

Figure 1: Spanning forest of a computation over M

The next theorem shows how much more informative computations done in M are compared to those in the binary setting. It is not only that the range of values is larger. The qualitative gap is expressed by the fact that by the result we know for sure about specific arguments that are “don’t care” when mapped to $B_2$: they have no influence on the result of that specific computation (there may, however, be more “don’t care” arguments). Since the above applies to each sub-expression of the computation, by examining internal nodes of the computation graph over M we can extract further information about the computation.

Theorem 3.2. Let $|\varphi(a_1, \ldots, a_n)| = |a_i|$ over M and suppose, without loss of generality, that $|a_1| < \cdots < |a_{i-1}| < |a_i| < \cdots < |a_n|$. Then, when evaluated in $B_2$, the value of $\varphi(b_1, \ldots, b_n)$, $b_1, \ldots, b_n \in \{T, F\}$, does not depend on $b_1, \ldots, b_{i-1}$ as long as for each $j$, $j \ge i$, $b_j = p(a_j)$.

Proof. If $i = 1$ then the claim holds trivially, so let $i > 1$. Suppose that $\varphi(a_1, \ldots, a_n) = a_i$ (the case where the result is $-a_i$ is similar). Let $p : M \to K_3$ be the homomorphism $p = p_{|a_i|}$, hence $p(\pm a_1) = \cdots = p(\pm a_{i-1}) = X$. Therefore, over $K_3$, $\varphi(X, \ldots, X, p(a_i), \ldots, p(a_n)) = \varphi(p(a_1), \ldots, p(a_{i-1}), p(a_i), \ldots, p(a_n)) = p(\varphi(a_1, \ldots, a_n)) = p(a_i) \neq X$. As is known, when an expression over $K_3$ is evaluated to T or to F then the result is invariant to any binary value given to variables of X values. □


In fact, the above theorem follows from Theorem 3.4 below.


Lemma 3.3. Let $a, b \in M$. If $|a| > |b|$ then $a > b \Rightarrow a > -b$ and similarly $a < b \Rightarrow a < -b$.


Theorem 3.4. Let $|\varphi(a_1, \ldots, a_n)| = |a_i| = b$ over M and suppose, without loss of generality, that $|a_1| < \cdots < |a_{i-1}| < |a_i| = \cdots = |a_{i+r}| < |a_{i+r+1}| < \cdots < |a_n|$. Then $\varphi(a_1, \ldots, a_n)$ is invariant to any change in $a_1, \ldots, a_{i-1}$ (including change of sign) as long as the new values are of absolute value less than $b$. Neither does any change in value to $a_{i+r+1}, \ldots, a_n$ affect the result $\varphi(a_1, \ldots, a_n)$, as long as the new values are of absolute value greater than $b$ and there is no change in sign.
Proof. We partition the nodes of the computation graph $G(a_1, \ldots, a_n)$ into 3 groups: (i) those representing operators with operands of absolute value less than $b$; (ii) those with operands of absolute value greater than or equal to $b$; (iii) the nodes representing operators with one operand of absolute value less than $b$ and another operand of absolute value greater than or equal to $b$.

Assume an arbitrary change to the arguments $a_j$, $j < i$, as in the theorem. Then a node of the first type may change its value, but will remain of absolute value less than $b$. A node of the second type will keep its original value. Finally, by Lemma 3.3, a node of the third type, representing the maximum or minimum operation, will keep its value if it was of absolute value greater than or equal to $b$, and will stay of absolute value less than $b$ (but perhaps of a different value) if so it was before the change.

Indeed, this is certainly the case for the nodes of level 1 (from the bottom), and, by induction on the height of $G$, the same holds for every node of $G$. Since the node representing the result of the computation is labeled with absolute value $b$, it will remain unchanged.

As for the change of the second type, it is easy to see, again by induction, that it can only affect the nodes of absolute value greater than $b$ (but not the signs), thus being irrelevant to the outcome of the computation. □
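The following added example (not the paper's code) evaluates a small gate-level expression over M, extracts the root-to-leaf path of Proposition 3.1, reads off the "don't care" inputs that Theorem 3.4 guarantees from the absolute value of the result, and confirms Theorems 3.2 and 3.4 by brute force. The circuit, its nested-tuple encoding and the valuation are constructed for the example; the brute-force check covers finite values only.

```python
import itertools

# Expressions are nested tuples (an assumed encoding, not the paper's):
#   ('var', name) | ('not', e) | ('and', e1, e2) | ('or', e1, e2)
# A valuation maps each variable name to a value in M = (Z \ {0}) U {-inf, inf}.

def m_eval(expr, val):
    """Evaluate expr over M: AND = minimum, OR = maximum, NOT = negation."""
    op = expr[0]
    if op == 'var':
        return val[expr[1]]
    if op == 'not':
        return -m_eval(expr[1], val)
    left, right = m_eval(expr[1], val), m_eval(expr[2], val)
    return min(left, right) if op == 'and' else max(left, right)

def source_path(expr, val):
    """Path of Proposition 3.1: from the root down to a leaf, every node on it carries a
    label of absolute value |result|. min/max return one of their operands and negation
    keeps the absolute value, so such a child exists at every step."""
    result = m_eval(expr, val)
    op = expr[0]
    if op == 'var':
        return [expr[1]]
    if op == 'not':
        return ['not'] + source_path(expr[1], val)
    for child in expr[1:]:
        if m_eval(child, val) == result:
            return [op] + source_path(child, val)

def dont_care_vars(expr, val):
    """Variables of absolute value below |result|: by Theorem 3.4 any change to them
    (sign included) that stays below |result| leaves the M-result unchanged."""
    b = abs(m_eval(expr, val))
    return {x for x, a in val.items() if abs(a) < b}

def b2_eval(expr, bval):
    """Evaluate the same expression in B2 with Python booleans."""
    op = expr[0]
    if op == 'var':
        return bval[expr[1]]
    if op == 'not':
        return not b2_eval(expr[1], bval)
    left, right = b2_eval(expr[1], bval), b2_eval(expr[2], bval)
    return (left and right) if op == 'and' else (left or right)

def theorem_3_2_holds(expr, val):
    """Brute-force check of Theorem 3.2: fix every other variable to p(a_j) (T iff a_j > 0);
    the B2 result must equal p(result) for every assignment of the don't-care variables."""
    dc = sorted(dont_care_vars(expr, val))
    fixed = {x: a > 0 for x, a in val.items() if x not in dc}
    expected = m_eval(expr, val) > 0
    for bits in itertools.product([False, True], repeat=len(dc)):
        bval = dict(fixed, **dict(zip(dc, bits)))
        if b2_eval(expr, bval) != expected:
            return False
    return True

def theorem_3_4_holds(expr, val, spread=2):
    """Exhaustive perturbation: don't-care variables take every value of smaller absolute
    value (either sign); variables above |result| grow by up to `spread` keeping their
    sign; variables at |result| stay fixed. The M-result must never change."""
    result = m_eval(expr, val)
    b = abs(result)
    names = sorted(val)
    choices = []
    for x in names:
        a = val[x]
        if abs(a) < b:
            choices.append([s * k for k in range(1, b) for s in (1, -1)])
        elif abs(a) > b:
            sign = 1 if a > 0 else -1
            choices.append([sign * (abs(a) + k) for k in range(spread + 1)])
        else:
            choices.append([a])
    for combo in itertools.product(*choices):
        if m_eval(expr, dict(zip(names, combo))) != result:
            return False
    return True

# Constructed sample circuit: out = (a AND b) OR (NOT c AND d), with a valuation of
# pairwise distinct absolute values.
CIRCUIT = ('or', ('and', ('var', 'a'), ('var', 'b')),
                 ('and', ('not', ('var', 'c')), ('var', 'd')))
VALUATION = {'a': 3, 'b': -1, 'c': -4, 'd': 2}

if __name__ == '__main__':
    print('result over M:', m_eval(CIRCUIT, VALUATION))
    print('source path   :', source_path(CIRCUIT, VALUATION))
    print("don't care    :", dont_care_vars(CIRCUIT, VALUATION))
    print('Theorem 3.2   :', theorem_3_2_holds(CIRCUIT, VALUATION))
    print('Theorem 3.4   :', theorem_3_4_holds(CIRCUIT, VALUATION))
```

For the sample valuation the result is 2 = |d|, so only b (|b| = 1) is certified as "don't care"; a is also irrelevant in B2 for this input, which illustrates the remark that the certified set need not be all of the "don't care" arguments.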


4 Disjunctive Normal Form over M 

In Boolean algebra every binary expression $\varphi$ over a set of variables and connectives $\wedge$, $\vee$ and $\neg$ can be reduced to an equivalent expression in DNF: a disjunction of conjunctive terms (also called sum-of-products). Each (conjunctive) term is a conjunction of literals, where a literal is a variable or its negation. A term is also called an implicant (or cube) since if $\gamma$ is an implicant of $\varphi$ then for every valuation $v$, $[\gamma]_v = T$ implies $[\varphi]_v = T$. An implicant $\gamma$ is called a prime implicant if no subterm of $\gamma$ implies $\varphi$. The disjunction of all the prime implicants of $\varphi$ is called Blake Canonical Form (BCF), denoted $\mathcal{B}(\varphi)$. We remark that not all prime implicants are necessarily essential, that is, there may be prime implicants which are covered by other prime implicants, hence $\mathcal{B}(\varphi)$ is not necessarily minimal in number of terms among the DNFs that are equivalent to $\varphi$. Another canonical DNF is the Full Disjunctive Normal Form (FDNF), denoted $\mathcal{F}(\varphi)$, which consists of all the minterm implicants, that is, each implicant contains all the variables of $\varphi$ (each variable in a complemented or uncomplemented form).
Let us now explore the DNF notion in De Morgan algebras. Given an expression $\varphi$ then by the ten rules of De Morgan algebra (see Section 2) it can be reduced to an equivalent expression $\varphi'$ in DNF. The reduction to DNF is, however, more restrictive compared to the binary case. By De Morgan rules, subterms of the form $x \wedge \neg x$ or $x \vee \neg x$ cannot be reduced. In fact, the only ways by which a conjunctive term can be reduced in size is by using the idempotence and absorption rules, where the former makes sure that no literal appears twice in a term, and the latter assures that no term is a subterm of another. This leads us to the following definition.

Definition 4.1. The De Morgan Canonical Form (DMCF) of an expression $\varphi$, denoted $\mathcal{M}(\varphi)$, is the unique (up to reordering) expression which is formed from $\varphi$ by De Morgan reductions and which satisfies:

• it is in DNF;

• no term of it contains the same literal twice;

• no term of it is a subterm of another term (in particular, no term appears more than once).

The reduction to $\mathcal{M}(\varphi)$ is done in a standard way by first driving all negation operators inwards into the literals, then reducing to DNF by the distributive and idempotence rules, and finally deleting terms which contain other terms through the absorption rule (commutativity and associativity are used throughout).

Unlike $\mathcal{B}(\varphi)$, the implicant terms in $\mathcal{M}(\varphi)$ are not necessarily prime implicants. Another difference is that the terms in $\mathcal{M}(\varphi)$ may be contradictory: containing subterms of the form $x\bar{x}$. Thus, $\mathcal{M}(\varphi)$ can be expressed as $\mathcal{M}(\varphi) = \mathcal{M}(\varphi)_{imp} \vee \mathcal{M}(\varphi)_{cont}$, where $\mathcal{M}(\varphi)_{imp}$ denotes the disjunction of the implicant terms of $\mathcal{M}(\varphi)$, and $\mathcal{M}(\varphi)_{cont}$ denotes the disjunction of the contradictory terms of $\mathcal{M}(\varphi)$.

Let us look at the following examples. For better readability, in examples we will make use of the following notation: $xy$, $x + y$ and $\bar{x}$ instead of $x \wedge y$, $x \vee y$ and $\neg x$ respectively. The notation $\bar{x}$ for literals will be used also outside of examples.

Example 4.1. $\varphi = (x + y)(x + \bar{y}) \Rightarrow x(x + \bar{y}) + y(x + \bar{y}) \Rightarrow xx + x\bar{y} + xy + y\bar{y} \Rightarrow x + y\bar{y} = \mathcal{M}(\varphi)$, which contains the contradictory term $y\bar{y}$. Of course, over $B_2$ we would have further reduced it to $\mathcal{B}(\varphi) = x$.
Example 4.2. $\varphi = x\bar{y} + y = \mathcal{M}(\varphi)$, with $x\bar{y}$ not being a prime implicant. Here, $\mathcal{B}(\varphi) = x + y$.

We write $\varphi \sim \psi$ when $\varphi$ and $\psi$ are $B_2$-equivalent, i.e. $[\varphi]_v = [\psi]_v$ for every binary valuation $v$. We write $\varphi \equiv \psi$ for M-equivalence, i.e. $[\varphi]_v = [\psi]_v$ for every valuation $v$ over M. Clearly, $\varphi \equiv \psi$ implies $\varphi \sim \psi$, but not the other way round. Note that for every valuation $v$ in M, $[\varphi]_v = [\mathcal{M}(\varphi)]_v$.

In special cases, again unlike the case over $B_2$, two different expressions in DMCF may represent equivalent functions over M. For example, the expression $x\bar{x}(y + \bar{y}) + z = x\bar{x}y + x\bar{x}\bar{y} + z$ is equivalent to the expression $x\bar{x} + z$. Similarly, the two M-equivalent expressions $x + \bar{x} + y\bar{y}$ and $x + \bar{x}$ are both in DMCF.

The following analysis is done over M, but, in fact, for that matter, ternary logic suffices. Note that over M, since disjunction is interpreted as the maximum operator, an implicant $\gamma$ of $\varphi$ satisfies the following: $0 < [\gamma]_v$ implies $0 < [\gamma]_v \le [\varphi]_v$, for every valuation $v$.

Lemma 4.1. Let $\varphi$ and $\psi$ be two expressions, and suppose there is an implicant term $\gamma \in \mathcal{M}(\varphi)_{imp}$ with no subterm of it in $\mathcal{M}(\psi)_{imp}$. Then there exists a valuation $v$ in M such that $0 < [\varphi]_v$ and $[\psi]_v < [\varphi]_v$.

Proof. Let $v$ be the valuation: $[x_i]_v = 2$ for each literal $x_i$ appearing in $\gamma$, $[x_j]_v = -2$ for each literal $\bar{x}_j$ in $\gamma$, and $[x_k]_v = 1$ for each variable $x_k$ not appearing in $\gamma$. Then $[\varphi]_v = [\gamma]_v = 2$. On the other hand, since no term of $\mathcal{M}(\psi)_{imp}$ is a subterm of $\gamma$, each term in $\mathcal{M}(\psi)$ which is positively evaluated by $v$ contains at least one variable which is not in $\gamma$, hence $[\psi]_v = [\mathcal{M}(\psi)]_v \le 1$. □

The preceding lemma referred to positive evaluations of expressions. The 
next one refers to negative evaluations. 

Lemma 4.2. If $\varphi \sim \psi$ then $[\mathcal{M}(\varphi)_{imp}]_v = [\mathcal{M}(\psi)_{imp}]_v$ for each valuation $v$ in M for which $[\varphi]_v < 0$ (equivalently, $[\psi]_v < 0$).

Proof. For each implicant $\delta \in \mathcal{M}(\varphi)_{imp}$ there is a prime implicant $\gamma$ of $\mathcal{B}(\varphi)$ (the BCF of $\varphi$) which is a subterm of $\delta$. Hence, $[\delta]_v \le [\gamma]_v$ for each M-valuation $v$, and consequently $[\mathcal{M}(\varphi)_{imp}]_v \le [\mathcal{B}(\varphi)]_v$.

Similarly, for each implicant $\delta$ in $\mathcal{F}(\varphi)$ (the FDNF of $\varphi$) there is an implicant $\gamma \in \mathcal{M}(\varphi)_{imp}$ which is a subterm of $\delta$, hence $[\mathcal{F}(\varphi)]_v \le [\mathcal{M}(\varphi)_{imp}]_v$ for each M-valuation $v$.

To finish the proof we need to show that when $[\varphi]_v < 0$ then the above inequalities are equalities (note that $\mathcal{B}(\varphi) = \mathcal{B}(\psi)$ and $\mathcal{F}(\varphi) = \mathcal{F}(\psi)$). Let $\gamma$ be a term in $\mathcal{B}(\varphi)$ such that $[\gamma]_v < 0$. For each variable $x_k$ that does not appear in $\gamma$, let $l_k = x_k$ if $[x_k]_v > 0$, and $l_k = \bar{x}_k$ if $[x_k]_v < 0$. By the definition of $\mathcal{F}(\varphi)$ there exists a term $\delta$ in $\mathcal{F}(\varphi)$ such that $\gamma$ is a subterm of $\delta$ and the other literals of $\delta$ are the above $l_k$. Clearly, since $[\gamma]_v < 0$ and for each of the literals $l_k$, $[l_k]_v > 0$, then $[\gamma]_v = [\delta]_v$. It follows by the maximum operation in DNF that $[\mathcal{B}(\varphi)]_v \le [\mathcal{F}(\varphi)]_v$, and by the previous inequality in the opposite direction it is an equality. □


Theorem 4.3. Let $\varphi$ be an expression satisfying $\mathcal{M}(\varphi) = \mathcal{B}(\varphi)$. Then for any expression $\psi$ satisfying $\varphi \sim \psi$ and for any valuation $v$ in M, $|[\varphi]_v| \ge |[\psi]_v|$.

Proof. Let $\mathcal{M}(\varphi)$ and $\mathcal{M}(\psi)$ be the DMCF of $\varphi$ and $\psi$ respectively. If $[\varphi]_v > 0$ then, since for every implicant $\delta \in \mathcal{M}(\psi)_{imp}$ there exists $\gamma \in \mathcal{M}(\varphi)$ which is a subterm of $\delta$, we have $[\varphi]_v \ge [\psi]_v$ as in the proof of Lemma 4.1.

If, on the other hand, $[\varphi]_v < 0$ then by Lemma 4.2, $[\mathcal{M}(\varphi)]_v = [\mathcal{M}(\psi)_{imp}]_v$. Since $\mathcal{M}(\psi)$ may also contain a contradictory part, $\mathcal{M}(\psi)_{cont}$, the inequality follows. □


Example 4.3. Let $\mathcal{M}(\varphi) = x + y = \mathcal{B}(\varphi)$ and let $\mathcal{M}(\psi) = x\bar{y} + y$ be two $B_2$-equivalent expressions with different DMCF. Then, for the valuation $[x]_v = 2$, $[y]_v = -1$, we obtain $[\mathcal{M}(\varphi)]_v = 2$ whereas $[\mathcal{M}(\psi)]_v = 1$. However, when $[\mathcal{M}(\varphi)]_v < 0$ then $[\mathcal{M}(\varphi)]_v = [\mathcal{M}(\psi)]_v$. For example, when $[x]_v = -2$, $[y]_v = -1$ then $[\mathcal{M}(\varphi)]_v = [\mathcal{M}(\psi)]_v = -1$.
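The following added example (not the paper's code) carries out the DMCF reduction of Definition 4.1 (negations driven inward, distribution to DNF with idempotence, absorption), splits the result into $\mathcal{M}(\varphi)_{imp}$ and $\mathcal{M}(\varphi)_{cont}$, and evaluates DNFs over M to reproduce Examples 4.1 and 4.3 and to check the inequality of Theorem 4.3 over a small finite sample of valuations. The nested-tuple encoding of expressions and the apostrophe used for the overbar in the printed output are assumptions of the example.

```python
from itertools import product

# Expressions are nested tuples (an assumed encoding, not the paper's):
#   ('var', name) | ('not', e) | ('and', e1, e2) | ('or', e1, e2)
# A DNF is a list of terms; a term is a frozenset of literals (name, positive).

def nnf(e):
    """Drive every negation inward onto the literals (double negation and De Morgan)."""
    op = e[0]
    if op == 'var':
        return ('lit', e[1], True)
    if op in ('and', 'or'):
        return (op, nnf(e[1]), nnf(e[2]))
    inner = e[1]                          # op == 'not'
    if inner[0] == 'var':
        return ('lit', inner[1], False)
    if inner[0] == 'not':
        return nnf(inner[1])
    dual = 'or' if inner[0] == 'and' else 'and'
    return (dual, nnf(('not', inner[1])), nnf(('not', inner[2])))

def dnf_terms(e):
    """Distribute AND over OR. Using a set per term applies idempotence: no literal twice."""
    if e[0] == 'lit':
        return [frozenset([(e[1], e[2])])]
    if e[0] == 'or':
        return dnf_terms(e[1]) + dnf_terms(e[2])
    return [l | r for l in dnf_terms(e[1]) for r in dnf_terms(e[2])]

def absorb(terms):
    """Absorption: drop duplicates and any term that has another term as a proper subterm.
    x AND NOT x is never simplified, exactly as in De Morgan algebras."""
    uniq = list(dict.fromkeys(terms))
    return [t for t in uniq if not any(o < t for o in uniq)]

def dmcf(e):
    """De Morgan Canonical Form M(e) of Definition 4.1."""
    return absorb(dnf_terms(nnf(e)))

def split_imp_cont(terms):
    """M(e) = M(e)_imp OR M(e)_cont: a term is contradictory iff it holds x and NOT x."""
    cont = [t for t in terms if any((n, not s) in t for (n, s) in t)]
    return [t for t in terms if t not in cont], cont

def eval_dnf(terms, val):
    """Evaluate a DNF over M (each term is the minimum of its literals, the disjunction
    is the maximum of the terms)."""
    return max(min(val[n] if s else -val[n] for (n, s) in t) for t in terms)

def term_str(t):
    """Render a term in the paper's notation, with ' standing for the overbar."""
    return ''.join(n if s else n + "'"
                   for n, s in sorted(t, key=lambda l: (l[0], not l[1])))

def abs_dominates(phi_terms, psi_terms, names, domain):
    """Theorem 4.3 check: |[phi]_v| >= |[psi]_v| for every valuation over `domain`."""
    for vals in product(domain, repeat=len(names)):
        v = dict(zip(names, vals))
        if abs(eval_dnf(phi_terms, v)) < abs(eval_dnf(psi_terms, v)):
            return False
    return True

# Constructed inputs taken from Examples 4.1 and 4.3.
X, Y = ('var', 'x'), ('var', 'y')
EX_4_1 = ('and', ('or', X, Y), ('or', X, ('not', Y)))       # (x+y)(x+y')
PHI_4_3 = ('or', X, Y)                                       # x + y  (= B(phi))
PSI_4_3 = ('or', ('and', X, ('not', Y)), Y)                  # xy' + y

if __name__ == '__main__':
    imp, cont = split_imp_cont(dmcf(EX_4_1))
    print('M(phi) =', ' + '.join(map(term_str, imp + cont)))
    for val in ({'x': 2, 'y': -1}, {'x': -2, 'y': -1}):
        print(val, eval_dnf(dmcf(PHI_4_3), val), eval_dnf(dmcf(PSI_4_3), val))
```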


5 Verification Complexity over M 

Suppose we want to know the functionality of a Boolean expression by evaluating it on different test vectors over M. The question is how many test vectors are needed in order to transmit to a verifier a complete knowledge of the functionality of the expression, that is, what is the number of test vectors needed for complete functional verification. This question is related to the minimal number of terms in Disjunctive Normal Forms of the expression. For that purpose, we define three notions of complexity of Boolean expressions: functional complexity, structural complexity and verification complexity (not to be confused with complexity defined as the minimal number of operators, or gates in a circuit representation of the expression, as e.g. in [?]).
As before, a Boolean expression is composed of variables and the conjunction, disjunction and negation operators, without constants (even for a tautology or a contradiction). In order to gain complete knowledge of the functionality of a Boolean expression $\varphi$ we need to find all the binary vectors $v$ for which $[\![\varphi]\!]_v = T$ and all the binary vectors $u$ for which $[\![\neg\varphi]\!]_u = T$ (equivalently, $[\![\varphi]\!]_u = F$). Note that for representing the function only one of the above is needed. Note also that there is a one-to-one correspondence between the DNFs of $\neg\varphi$ and the CNFs (Conjunctive Normal Forms) of $\varphi$, so that the number of conjunctive terms in a DNF of $\neg\varphi$ equals the number of disjunctive terms in the corresponding CNF of $\varphi$.

When testing an expression on binary vectors we need to try all the possible input vectors for complete functional verification. Over $M$ the number of test vectors that are needed may be much smaller as a consequence of the existence of "don't care" variables. As we saw in the preceding section, there is an inverse relationship between the lengths of the terms in the canonical DNF of an expression and the absolute values of the outcome of the $M$-evaluations of the expression. Indeed, the shorter the term, the larger the number of "don't care" variables (for that term).

Let us introduce the following notation. Let $B_{min}(\varphi)$ be a reduction of $B(\varphi)$ to a minimal number of prime implicants which cover all the implicants of $B(\varphi)$. Let $\mathcal{M}_{min}(\varphi)$ be a reduction of $\mathcal{M}(\varphi)$ to a minimal number of terms of $\mathcal{M}(\varphi)_{imp}$ which cover all the implicants of $\mathcal{M}(\varphi)_{imp}$ (with $\mathcal{M}_{min}(\varphi)_{cont} = \mathcal{M}(\varphi)_{cont}$). We denote by $\#\psi$, for $\psi$ in DNF, the number of (conjunctive) terms it contains.

Definition 5.1. The functional complexity of a Boolean expression $\varphi$ is

$\mathcal{C}_f(\varphi) := \#B_{min}(\varphi) + \#B_{min}(\neg\varphi).$


Definition 5.2. The structural complexity of a Boolean expression ip is 


We may say that the functional complexity puts more weight on the se¬ 
mantics of the expression than the structural complexity, while the syntactic 
part is more emphasized in the structural complexity. 
Definition 5.3. The verification complexity $\mathcal{C}_v(\varphi)$ of a Boolean expression $\varphi$ is the number of $M$-valued test vectors needed for complete verification of the binary functionality of $\varphi$.

Certainly, $\mathcal{C}_f(\varphi) \le \mathcal{C}_s(\varphi)$. For the verification complexity we have the following.

Proposition 5.1. $\mathcal{C}_v(\varphi) \le \mathcal{C}_s(\varphi)$.

Proof. Let $\varphi$ be a Boolean expression with $n$ variables. It is sufficient to consider the ternary logic $K_3$ as the MVL over which we form the test vectors. For each term $\gamma$ of $\mathcal{M}(\varphi)_{imp}$ of length $k$, we form the ternary test vector $v = v(\gamma)$ such that $[\![\gamma]\!]_v = T$, and such that all the $n - k$ variables that do not appear in $\gamma$ are assigned the value $X$ in $v$. This ternary test vector $v$ covers $2^{n-k}$ binary test vectors which satisfy $\varphi$. Thus, by considering all the implicants $\gamma \in \mathcal{M}(\varphi)_{imp}$ we can find all the binary vectors that satisfy $\varphi$.

Similarly, we form the ternary test vectors $u = u(\delta)$ for each $\delta \in \mathcal{M}(\neg\varphi)_{imp}$, such that $[\![\delta]\!]_u = T$, thus finding all the binary vectors that do not satisfy $\varphi$. □

We do not know of an example in which $\mathcal{C}_v(\varphi) < \mathcal{C}_s(\varphi)$. Hence, it might very well be that the two notions are identical (that is why we chose the general term "verification complexity" without referring to $M$).

The information gained from an $M$-valuation is greater than that of a ternary one. Suppose that the variables in $\varphi$ are $x_1, \dots, x_n$ and that a ternary test vector $v$ assigns the value $X$ to $x_1, \dots, x_k$, while the other variables are assigned binary values. Suppose also that $[\![\varphi]\!]_v = T$. Then we know that there exists an implicant term $\gamma \in \mathcal{M}(\varphi)_{imp}$ of length at most $n - k$, whose variables are among $x_{k+1}, \dots, x_n$, and whose literals agree with the valuation of $x_{k+1}, \dots, x_n$. Over $M$, a possible valuation $w$ is to assign the variables $x_1, \dots, x_n$ values $a_1, \dots, a_n$ with increasing absolute values, with some chosen signs for $a_1, \dots, a_k$, while the signs of $a_{k+1}, \dots, a_n$ agree with their values in $v$. We know that $[\![\varphi]\!]_w = |a_j|$ for some $j \ge k + 1$. If $j > k + 1$ then we know that the following property $P(j)$ holds:

• $P(j)$: There exists an implicant whose set of variables contains $x_j$, and possibly other variables among $x_{j+1}, \dots, x_n$, and whose literals agree with the valuation $v$.
Since the upper bound on the length of the implicant is smaller than in the ternary case, over $M$ we know for sure of more binary vectors which satisfy $\varphi$ (since the variables $x_{k+1}, \dots, x_{j-1}$ are "don't care"). We also know that the following property $N(j + 1)$ holds:

• $N(j + 1)$: there is no implicant term of $\varphi$ whose variables are all among $x_{j+1}, \dots, x_n$ and whose literals agree with the valuation $v$.

This is implied by the nice property of having a dynamic boundary between the "care" values and the "don't care" values when performing valuations over $M$.

A similar analysis with respect to $\neg\varphi$ applies to the case where $[\![\varphi]\!]_v = F$. When $[\![\varphi]\!]_v = X$ for a ternary vector $v$ as above then we know that property $N(k + 1)$ holds. Over $M$, a corresponding valuation $w$ will give $[\![\varphi]\!]_w = |a_j|$ with $j \le k$, assuming the result is positive (for a negative result we refer to $\neg\varphi$). Then we know that $N(j + 1)$ holds, so if $j < k$ then the set of terms that we know are not implicants is larger than in the ternary case. In addition, we know that $P(j)$ holds, with no analogous information gained in the ternary case.

Overall, we see that $M$-tests are more informative than $K_3$-tests, but, nevertheless, we do not know if this suffices to reduce the number of tests needed for complete functional verification in general (and if yes, whether such a reduction is significant). We also do not know if we can make use of property $N(\cdot)$ to show that in special cases $\mathcal{C}_v(\varphi) < \mathcal{C}_s(\varphi)$ may hold. In case property $N(\cdot)$ does not help in reducing $\mathcal{C}_v(\varphi)$ then we have $\mathcal{C}_f(\varphi) \le \mathcal{C}_v(\varphi)$.

Suppose that we know that $|\varphi(a_1, \dots, a_n)| = |a_i|$. Then, by Theorem 3.4, the information gained from this computation is equivalent to the one obtained by restricting ourselves to only 6 values, $\pm a, \pm b, \pm c$ with $0 < a < b < c$, and the following mapping:

$a_j \mapsto a$ for $0 < a_j < |a_i|$ (and $a_j \mapsto -a$ for $-|a_i| < a_j < 0$);
$a_j \mapsto b$ for $a_j = |a_i|$ (and $a_j \mapsto -b$ for $a_j = -|a_i|$);
$a_j \mapsto c$ for $a_j > |a_i|$ (and $a_j \mapsto -c$ for $a_j < -|a_i|$).

In fact, if we use also the value 0 then we can be satisfied with only 5 values, with $a = 0$, and this is the optimal number of values for maximal information gained from the computations in case the expression we test is known to us.

Let us look at the following simple examples. The Boolean expressions are given as combinational circuits, where the $\vee$, $\wedge$ and $\neg$ gates are interpreted as the maximum, minimum and negation respectively over $M$. For better readability, we use as before the sum, product and complement notation instead of $\vee$, $\wedge$ and $\neg$.
Example 5.1. AND gate on $n$ inputs: $\varphi(x_1, \dots, x_n) = x_1 x_2 \cdots x_n = \mathcal{M}_{min}(\varphi)$. Then $\mathcal{M}_{min}(\neg\varphi) = \bar{x}_1 + \bar{x}_2 + \cdots + \bar{x}_n$. Hence, $\mathcal{C}_s(\varphi) = n + 1$, and this is also the value of $\mathcal{C}_f(\varphi)$ and of $\mathcal{C}_v(\varphi)$. The test vector that corresponds to $x_1 x_2 \cdots x_n$ is $(1, 1, \dots, 1)$, and for each term $\bar{x}_i$, $i = 1, \dots, n$, we form the test vector which assigns $x_i$ the value $-2$ and the other variables the value 1 (it does not matter whether the value is 1 or $-1$ as it is "don't care").

Example 5.2. Multiplexer (MUX) with $n = 2^k$ data inputs $d_0, \dots, d_{n-1}$ and $k$ selectors $s_0, \dots, s_{k-1}$. It represents the function

$\varphi(d_0, \dots, d_{n-1}, s_0, \dots, s_{k-1}) = \mathcal{M}_{min}(\varphi) = d_0\,\bar{s}_{k-1} \cdots \bar{s}_1 \bar{s}_0 + d_1\,\bar{s}_{k-1} \cdots \bar{s}_1 s_0 + \cdots + d_{n-1}\,s_{k-1} \cdots s_1 s_0.$

One can show that

$\mathcal{M}_{min}(\neg\varphi) = \bar{d}_0\,\bar{s}_{k-1} \cdots \bar{s}_1 \bar{s}_0 + \bar{d}_1\,\bar{s}_{k-1} \cdots \bar{s}_1 s_0 + \cdots + \bar{d}_{n-1}\,s_{k-1} \cdots s_1 s_0.$

Here, $\mathcal{C}_s(\varphi) = 2n$. We can form the following $M$-vectors: for each of the $n = 2^k$ possibilities of assigning each selector variable $s_i$ the value $\infty$ or the value $-\infty$, we assign the data input $d_j$ that is selected by the corresponding assignment of values to $s_0, \dots, s_{k-1}$ first the value 2 and then the value $-2$, while all the other data inputs are assigned the value 1. In Fig. 2 a computation of a multiplexer with 4 data entries is shown.

When $n = 2$, we get the "If-Then-Else" function: $\varphi(d_0, d_1, s) = d_0 \bar{s} + d_1 s = \mathcal{M}_{min}(\varphi)$. Then $\neg\varphi = (\bar{d}_0 + s)(\bar{d}_1 + \bar{s}) = \bar{d}_0 \bar{d}_1 + \bar{d}_0 \bar{s} + \bar{d}_1 s + s\bar{s}$ and $\mathcal{M}_{min}(\neg\varphi) = \bar{d}_0 \bar{s} + \bar{d}_1 s$, since $\bar{d}_0 \bar{d}_1$ is redundant by the consensus rule, and $s\bar{s}$ is a contradictory term.

Note that the selectors in Example 5.2 are assigned the truth values $\pm\infty$ so that the output value is not that of the selectors but of the selected data.
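As an added illustration of the construction in the proof of Proposition 5.1 and of Examples 5.1 and 5.2 (example code written for this page, not code from the paper), the following Python script builds the $K_3$ test vectors from the implicant terms of $\mathcal{M}_{min}(\varphi)$ and $\mathcal{M}_{min}(\neg\varphi)$ and checks that they determine the binary function completely. The term representation, the function names and the two circuit generators are choices made for the example.

```python
"""Added example (not part of the paper): the test-vector construction from
the proof of Proposition 5.1, with a completeness check.

A term is a dict mapping a variable to the polarity of its literal (True for
x, False for x-bar); the DNFs of phi and of not-phi are lists of such terms.
For every implicant term we build the K3 vector that makes the term true and
leaves all other inputs X, exactly as in the proof; the two families must then
cover every binary vector and must not overlap.  The AND gate and the
if-then-else function are Examples 5.1 and 5.2 (n = 2) of the paper."""
from itertools import product

X = "X"  # the K3 "don't care" value


def ternary_vector(term, variables):
    """v(gamma) of Proposition 5.1: the literals of gamma, X everywhere else."""
    return tuple(term.get(x, X) for x in variables)


def expand(tv):
    """The 2**(#X) binary vectors covered by one ternary vector."""
    slots = [(True, False) if a is X else (a,) for a in tv]
    return set(product(*slots))


def verification_vectors(pos_terms, neg_terms, variables):
    """One test vector per term of M_min(phi) and of M_min(not phi), so
    len(pos) + len(neg) test vectors in all (the bound C_v <= C_s)."""
    pos = [ternary_vector(t, variables) for t in pos_terms]
    neg = [ternary_vector(t, variables) for t in neg_terms]
    return pos, neg


def covered(vectors):
    """Union of the binary vectors covered by a family of ternary vectors."""
    result = set()
    for tv in vectors:
        result |= expand(tv)
    return result


def is_complete(pos_terms, neg_terms, variables):
    """True iff the satisfying and the falsifying families partition {T,F}^n:
    then the vectors fix the binary functionality of phi completely."""
    pos, neg = verification_vectors(pos_terms, neg_terms, variables)
    sat, unsat = covered(pos), covered(neg)
    return not (sat & unsat) and len(sat | unsat) == 2 ** len(variables)


def and_gate(n):
    """Example 5.1: phi = x1...xn, not phi = x1-bar + ... + xn-bar."""
    variables = [f"x{i}" for i in range(1, n + 1)]
    pos = [{x: True for x in variables}]
    neg = [{x: False} for x in variables]
    return pos, neg, variables


def if_then_else():
    """Example 5.2, n = 2: phi = d0 s-bar + d1 s, not phi = d0-bar s-bar + d1-bar s."""
    variables = ["d0", "d1", "s"]
    pos = [{"d0": True, "s": False}, {"d1": True, "s": True}]
    neg = [{"d0": False, "s": False}, {"d1": False, "s": True}]
    return pos, neg, variables


if __name__ == "__main__":
    for name, (pos, neg, variables) in (("AND(4)", and_gate(4)), ("ITE", if_then_else())):
        p, q = verification_vectors(pos, neg, variables)
        print(name, "test vectors:", len(p) + len(q), "of", 2 ** len(variables),
              "binary ones; complete:", is_complete(pos, neg, variables))
```

For the 4-input AND gate the five vectors of Example 5.1 cover all 16 binary inputs, and the four vectors of the if-then-else function cover all 8; dropping one term from $\mathcal{M}_{min}(\neg\varphi)$ leaves binary vectors on which $\varphi$ is undetermined, which is what `is_complete` reports.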

6 Verification of Combinational Circuits 

6.1 Comparing the Quality of Equivalent Designs 

Figure 2: Multiplexer computation

Digital combinational circuits do not contain memory elements, hence they form Boolean expressions which represent Boolean functions. Equivalent Boolean functions may be expressed in many ways, and a major question concerns the quality of the chosen design. There is no definite answer to this question and it depends on the needs. The synthesis phase of transforming a circuit design in the form of a Register Transfer Level (RTL) description into a gate-level description is optimized with respect to constraints like size, timing, power consumption or ease of testability, and all these factors need to be considered when evaluating the quality of the design.

When a Boolean function is simple enough and is designed as an expression in DNF, as is the case for a Programmable Logic Array (PLA) or a Programmable Array Logic (PAL), then, most likely, we would prefer the minimal DNF: it is minimal in size and also its verification complexity (see Section 5) is the lowest. The number of terms in a DNF of a Boolean function is, in general, exponential, and finding the minimal DNF expression, an NP-hard problem, is then doubly exponential in computational complexity. Besides classical methods for minimizing the DNF, like the Quine-McCluskey algorithm [18, 24], which is good for small designs, other methods use heuristics for computing approximations to minimal representations, e.g. the well-known Espresso minimizer [?], which is also suitable for multiple outputs and multiple-level logics (and also makes use of multiple-valued logic [27], not in the same meaning as here).

But we are not going to delve here into the intricate issues of design and optimization of circuits. We would like to see how we can use $M$-based simulations in order to find differences between two designs (or blocks in designs) which represent equivalent Boolean functions. As we have seen, the differences in $M$-tests are due to differences in implicant lengths of $\mathcal{M}(\varphi)$ and $\mathcal{M}(\neg\varphi)$ of Boolean expressions $\varphi$, which are revealed as differences in absolute values in the $M$-simulations. These differences may represent different levels of abstraction (as is normally the case in the design flow of a circuit), but may also be interpreted as representing different degrees of truth, in the sense of fuzzy logic: a higher absolute value of a test result means a higher truth degree, or an event which is more common since it refers to a larger subset of binary input vectors that produce a similar computation. A higher absolute value refers also to a higher "noise stability" (see [?]): it is less affected by a random flipping of the values of the inputs.


Figure 3: Quality and equivalence checking; panels (a), (b) and (c), circuits on the inputs $x_1 \cdots x_n$.

Example 6.1. The circuit in Fig. 3(b) is identical to the circuit in Fig. 3(a), except for a disjunction of the output with the contradictory term $x_1 \bar{x}_1$. Thus, the two circuits are binary equivalent and $B_2$-simulations cannot tell them apart. Here is where $M$-simulations can be of help. Suppose we run random simulations over $M$ and the input variables are assigned distinct absolute values $1, \dots, n$ with random signs at each run. Then the term $x_1 \bar{x}_1$ is assigned the value $-k$ with probability $1/n$. Hence, if there is a probability $p_k$ for the output of block $A$ to be less than $-k$ when $x_1$ is assigned the value $\pm k$, then the probability of observing a difference in the behavior of the two circuits (the output of the "better" design is of higher absolute value) in a random run is $p = \frac{1}{n} \sum_{k=1}^{n} p_k$, which may be high.

Of course, when the same redundant term appears deeper in the design it is more difficult to detect, as it has less chance to express itself at the primary outputs. However, a more thorough inspection of the interior of the design may reveal exceptional behavior due to this term.

A similar analysis applies to a redundant conjunction with a tautology term of the form $x_i + \bar{x}_i$.
6.2 Simulations over M

In order to run $M$-simulations on a circuit design, we first need to transform it to the $M$-setting. Given a gate-level description of the design, the transformation can be executed automatically. The Boolean domain of values of the signal variables is replaced by $\mathbb{Z}$, with some chosen integer $N$, larger than all other absolute values assigned to the inputs, representing $\infty$ as the value of absolute truth. Then, all binary operators (representing gates) are expressed through $\vee$, $\wedge$ and $\neg$, and finally these operators are defined as the maximum, minimum and negation respectively.

When our intention is to perform functional validation or to solve a satisfiability problem, we have seen that the number of $M$-tests may be significantly smaller than the number of tests in the binary setting, also when we do not hope for complete verification but aim for better coverage.

When the design is treated as a black box then, in general, the idea is to assign the input variables different absolute values in order to maximize the benefit of performing simulations over $M$. Unlike the situation in the ternary logic setting, we do not need to decide in advance which inputs are assigned "don't care" values. The boundary between the "don't care" and "care" variables is dynamic and is set after each simulation: the values that are less than the output (in absolute value) may be regarded as "don't care". This means that the result of a single $M$-test contains the information of both the result of the corresponding binary simulation and, at the same time, the results of several ternary simulations.

The larger the set of "don't care" variables, the more informative a simulation is: it covers a larger set of binary input vectors. In order to increase the number of "don't care" variables, we may perform more simulations with circular shifts of the absolute values of some of the variables, without changing their signs. This procedure is the heart of Algorithm 1.

Similar to the assignment of truth values $\pm\infty$ to the selectors in Example 5.2, it is recommended to assign $\pm\infty$ values to other control variables like "clock", "enable", "reset", etc., so that the value of the output will not be that of a control variable but of a data variable.

In the case of Exclusive-Or (XOR) (or its generalization to $n$ variables, the notorious parity function) the output is always of the smallest absolute value among the inputs (see Table [?]): $|a \oplus b| = \min(|a|, |b|)$. This makes it more difficult to verify circuits that contain many XOR gates (e.g. multipliers). Here, $M$ can be used in order to check whether the output is larger (in absolute value) than what is expected.
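The following Python script (an example added here, not code from the paper) shows what the transformation to the $M$-setting looks like for a gate-level design and how the dynamic boundary is read off a single simulation. It evaluates the two forms of Example 4.3, the 4-input multiplexer of Example 5.2 with selectors at $\pm\infty$, and a two-input XOR; the tuple encoding of circuits, the Kleene-style $K_3$ evaluator used as a cross-check and the input values are all choices made for the example.

```python
"""Added example (not part of the paper): running a gate-level design over M
and reading the dynamic care / don't-care boundary off a single simulation.

A circuit is a nested tuple: a string names an input; ('not', e), ('and', ...)
and ('or', ...) are gates interpreted as negation, minimum and maximum over M.
INF stands for the absolute-truth value oo given to control inputs.  The
circuits below are Example 4.3 (phi and psi), the multiplexer of Example 5.2
and a two-input XOR; the input values are constructed for this example."""
INF = float("inf")
X = "X"


def ev(circuit, w):
    """Evaluate over M on the valuation w (input name -> non-zero value)."""
    if isinstance(circuit, str):
        return w[circuit]
    op, *args = circuit
    if op == "not":
        return -ev(args[0], w)
    vals = [ev(a, w) for a in args]
    return min(vals) if op == "and" else max(vals)


def ev3(circuit, t):
    """Evaluate over K3 on t (input name -> True / False / X), Kleene style."""
    if isinstance(circuit, str):
        return t[circuit]
    op, *args = circuit
    if op == "not":
        r = ev3(args[0], t)
        return X if r is X else (not r)
    vals = [ev3(a, t) for a in args]
    if op == "and":
        return False if False in vals else (X if X in vals else True)
    return True if True in vals else (X if X in vals else False)


def dont_cares(circuit, w):
    """Inputs proved irrelevant by the one M-simulation w: those whose absolute
    value lies strictly below the absolute value of the output."""
    out = abs(ev(circuit, w))
    return {name for name, a in w.items() if abs(a) < out}


def abstraction(circuit, w):
    """Project w to K3 (don't-cares become X) and evaluate there; the result
    must be binary, i.e. the single M-test stands for 2**(#X) binary tests."""
    dc = dont_cares(circuit, w)
    t = {name: (X if name in dc else a > 0) for name, a in w.items()}
    return t, ev3(circuit, t)


def mux(n_sel):
    """Example 5.2: 2**n_sel data inputs d_j, selectors s_b, as a DNF."""
    terms = []
    for j in range(2 ** n_sel):
        lits = [f"d{j}"] + [f"s{b}" if (j >> b) & 1 else ("not", f"s{b}")
                            for b in range(n_sel)]
        terms.append(("and", *lits))
    return ("or", *terms)


PHI = ("or", "x", "y")                           # x + y (= B(phi))
PSI = ("or", ("and", "x", ("not", "y")), "y")    # x y-bar + y, B2-equivalent to phi
XOR = ("or", ("and", "a", ("not", "b")), ("and", ("not", "a"), "b"))
MUX4 = mux(2)

if __name__ == "__main__":
    print(ev(PHI, {"x": 2, "y": -1}), ev(PSI, {"x": 2, "y": -1}))       # 2 and 1
    w = {"d0": 1, "d1": -2, "d2": 1, "d3": 1, "s0": INF, "s1": -INF}    # selects d1
    print(ev(MUX4, w), dont_cares(MUX4, w), abstraction(MUX4, w)[1])
    print(abs(ev(XOR, {"a": 3, "b": -5})))                               # min(3, 5)
```

`dont_cares` marks exactly the inputs whose absolute value lies below the output's, and `abstraction` confirms the promise behind the dynamic boundary: the ternary vector with those inputs set to $X$ still evaluates to a binary value, so the one $M$-test stands for $2^{\#X}$ binary tests. Running the script prints 2 and 1 for Example 4.3, $-2$ for the multiplexer with `d1` selected (with `d0`, `d2`, `d3` as don't cares), and 3 for the XOR.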

When the design is complex, it may happen that an output variable relies on many inputs. Hence, the number of "don't cares" may be small, making it less advantageous to perform simulations over $M$. In this case, if the design is not treated as a black box, we can first verify sub-blocks before verifying the whole design. But this kind of behavior is not necessarily the rule. In fact, in a design where the $\wedge$, $\vee$ and $\neg$ operators are distributed randomly, by the symmetry of these operators one can expect a uniform distribution of the absolute values in the design, including among the primary outputs, when such a uniform distribution is forced upon the input values.

6.3 An Algorithm for Obtaining a Maximal Abstract Valuation

In what follows we use the same notation, namely $\varphi$, for a combinational circuit, the corresponding Boolean expression, and the Boolean function it represents, with arguments in $B_2$, $K_3$ or $M$, and operators of polymorphic types.

Definition 6.1. An abstraction of a vector $v \in K_3^n$ is a vector $v' \in K_3^n$ which is obtained from $v$ by assigning $X$-values to zero or more of the binary entries of $v$. The vector $v'$ is a strict abstraction of $v$ if $v'$ is an abstraction of $v$ and $v' \ne v$.

For example, $(T, X, F, X, F)$ is a strict abstraction of $(T, X, F, T, F)$. The abstraction relation induces a partial order on $K_3^n$.

Definition 6.2. Given a Boolean expression $\varphi = \varphi(x_1, \dots, x_n)$, a vector $v \in K_3^n$ is a maximal abstract valuation with respect to $\varphi$ if $[\![\varphi]\!]_v \ne X$, and for any strict abstraction $v'$ of $v$, $[\![\varphi]\!]_{v'} = X$.

There is a one-to-one correspondence between the maximal abstract valuations $v$ satisfying $[\![\varphi]\!]_v = T$ and the set of implicant terms of $\mathcal{M}(\varphi)$, and, similarly, between the maximal abstract valuations $v$ satisfying $[\![\varphi]\!]_v = F$ and the implicant terms of $\mathcal{M}(\neg\varphi)$.

Definition 6.3. A signed permutation of size $n$ is a vector $w$ which is a permutation of $\{1, \dots, n\}$ augmented with a sign for each number.

We refer to $w$ also as a pair $(v, \sigma) \in \{-1, 1\}^n \times S_n$, and denote by $w.v$ and $w.\sigma$ the binary vector and the permutation respectively that $w$ is comprised of. For example, $w = (3, -1, -2, 5, -4)$ is a signed permutation which is the (component-wise) product of $v = (1, -1, -1, 1, -1)$ and $\sigma = (3, 1, 2, 5, 4)$. Given a permutation $\sigma$, we denote by $\sigma[i \leftrightarrow j]$ the permutation obtained from $\sigma$ by composing it with the transposition that swaps the values $i$ and $j$. For example, $(3, 1, 2, 5, 4)[2 \leftrightarrow 4] = (3, 1, 4, 5, 2)$.

Algorithm 1 computes an abstraction $v'$ of a binary vector $v$ (over the set $\{-1, 1\}$) which is a maximal abstract valuation with respect to a combinational design $\varphi$. As shown before, the computation of these implicant terms of $\varphi$ and $\neg\varphi$ plays an important role in the verification of Boolean expressions. We would like to mention that these are not necessarily prime implicants, as they reflect both the structural and the functional properties of the expression $\varphi$ and not only its functionality, as do the prime implicants.

The input vector in Algorithm 1 is given as a signed permutation $w = (v, \sigma)$, and the binary vector $v$ is the projection of $w \in M^n$ to $B_2^n$. As already mentioned, when there is no knowledge of $\varphi$, it is recommended to use different absolute values for the input vector, e.g. in the form of a signed permutation.

The computation of a maximal abstract valuation is achieved by an iterated greedy search: if $w = w_0, w_1, \dots, w_r = w'$ is the sequence of computed vectors then $|[\![\varphi]\!]_{w_{i-1}}| \le |[\![\varphi]\!]_{w_i}|$, $i = 1, \dots, r$. The idea is the following. When $|[\![\varphi]\!]_w| = k$ then we know that all input variables which were assigned a value $l$ with $|l| < k$ are "don't care". The variable $x_{\sigma^{-1}(k)}$ is of type "care" (if we map it to $X$ and perform the computation over $K_3$ the result will be $X$). But there may be other variables, with $|l| > k$, which are "don't care". So, first we swap the absolute values (but not the signs) assigned to $x_{\sigma^{-1}(k)}$ and to $x_{\sigma^{-1}(n)}$ and perform another simulation. Several new variables may now turn out to be "don't care", and we repeat the procedure of swapping, but now with $n - 1$ instead of $n$ as the largest absolute value, and with the resulting $k' \ge k$ instead of $k$. We keep iterating until the list of potential "don't care" variables is exhausted. The result is then projected to $K_3$, providing a maximal abstract valuation which is an abstraction of $v$.
Algorithm 1 Computation of a maximal abstract valuation
Input: A combinational design $\varphi(x_1, \dots, x_n)$, a signed permutation $w = (v, \sigma)$
Output: An abstraction $v'$ of $v$ which is a maximal abstract valuation with respect to $\varphi$
1: $i \leftarrow |[\![\varphi]\!]_w|$; $j \leftarrow n$
2: while $i < j$ do
3:   $w.\sigma \leftarrow \sigma[i \leftrightarrow j]$
4:   $j \leftarrow j - 1$
5:   $i \leftarrow |[\![\varphi]\!]_w|$ {simulate again after the swap, so that $i$ is the output of the current $w$}
6: end while
7: $v' \leftarrow p_i(w)$ {$v'$ is the component-wise image of $w$ in $K_3^n$, where $p_i(k) = X$ if $|k| < i$ and $p_i(k)$ is the sign of $k$ otherwise}
8: return $v'$


Example 6.2. The computation shown in Fig. [?] has the input vector $(-1, 3, -2, 4)$: $\sigma = (1, 3, 2, 4)$, $v = (-1, 1, -1, 1)$. The result of the main output is 2, referring to the value assigned to the input variable $x_{\sigma^{-1}(2)} = x_3$. In order to compute a maximal abstract valuation following Algorithm 1 we swap the values 2 and 4 in $\sigma$, obtaining the new input vector $(-1, 3, -4, 2)$. The result of the new computation, as shown in Fig. 4, is 3. The new values of the indexes in the algorithm are $i = j = 3$, and the condition of the "while" loop is not satisfied, so there are no more iterations. The maximal abstract valuation vector is $(X, T, F, X)$.

Figure 4: A new computation over M

Proposition 6.1. Algorithm 1 computes a maximal abstract valuation of a combinational design $\varphi$.

Proof. Because at each iteration we swap absolute values which are not smaller than the absolute value of the current output, the next output cannot decrease in absolute value. This means that the number of variables that will eventually be mapped to $X$ does not decrease with each iteration. By the end of the algorithm we get $[\![\varphi]\!]_{p_i(w)} = p_i([\![\varphi]\!]_w) = p_i(\pm i) \ne X$. Hence, $v'$ is an abstraction of $v$.

Each of the variables $x_{\sigma^{-1}(l)}$ with $l \ge i$ after the loop terminates, that is, a variable that is not mapped by $p_i$ to $X$ (at line 7), had at some point a value which was of the same absolute value as the output of $\varphi$. Hence, if at that point $x_{\sigma^{-1}(l)}$ were mapped to $X$ then the output of $\varphi$ over $K_3$ would also have been $X$, let alone at the end of the algorithm where possibly more $X$-s were added. This proves that $v'$ is a maximal abstract valuation with respect to $\varphi$. □

Algorithm 1 may be incorporated in a procedure for satisfiability of a Boolean expression by a SAT solver, for the purpose of pruning the search tree: the binary valuation is kept for the variables corresponding to the binary part of the resulting ternary vector of the algorithm and the "don't care" variables are ignored. It may also be worth trying to flip the sign of the variable whose value corresponds to the final result of the iterations, to see if this variable is also a "don't care", in which case we obtain a shorter implicant (which is not an implicant term of $\mathcal{M}(\varphi)$); or the sign of the computation may then change, e.g. from $-$ to $+$, and then we have found a satisfying valuation. Another application of Algorithm 1 is in equivalence verification, as shown in Algorithm 2.

The number of iterations for finding a maximal abstract valuation depends on the number and lengths of the implicant terms of $\varphi$ and $\neg\varphi$ and also on the chosen permutation (which imposes an order on the variables). The computation can also be carried out in $K_3$ instead of $M$, but with more iterations (on average), since the boundary between the "care" and "don't care" variables at each iteration is not known in advance. The same line of reasoning applies to the preference of $K_3$ over $B_2$ as the data structure for performing simulations.

6.4 Equivalence Verification by Simulation

In equivalence verification one tries to verify that two designs $A$ and $B$ are equivalent: for the same binary input vector they produce the same output. In this section we present a procedure for equivalence checking by $M$-simulations.


Example 6.3. In Fig. 3(a) (call it spec) and Fig. 3(c) (call it imp) we see two circuits which are identical except for a disjunction of the output of imp with some conjunctive term $x_1 \cdots x_n$, which we assume to produce a wrong binary output. If there is a probability $p_k$ for the output of spec to be less than $-k$ when performing $M$-simulations with random signed permutation tests, then the probability of imp distinguishing itself from spec by producing a greater negative output value is a probability $p$ determined by the $p_k$. Note that this probability may be significantly greater than the probability of the two circuits producing outputs of different signs (which happens in the rare case of the conjunctive term evaluating to the value 1, the probability of which is $1/2^n$).


In Algorithm 2 we describe a simulation procedure for checking the equivalence of two combinational circuits $A$ and $B$. The procedure first obtains (as an output of an algorithm, or randomly) some binary vector $v$ and checks whether the two circuits agree on it. If not, then a (binary) counter-example has been found. Otherwise, the procedure obtains (again, as an output of an algorithm) a corresponding signed permutation $w = (v, \sigma)$, and by Algorithm 1 two maximal abstract valuations $v_A$ and $v_B$ are returned. If $v_A \ne v_B$ then there is a valuation in $M$ on which $A$ and $B$ do not agree. If we want to proceed manually, we can examine the two designs on the valuation on which they do not agree and try to find the reason. The partition of the graph into a spanning forest may turn out to be of great help. If we want the procedure to be fully automatic, then we continue with the algorithm and try all (subject to some limit) the relevant combinations of replacing $X$ values by binary ones in $v_A$ and $v_B$ and check for binary nonequivalence between the two circuits. If no binary counter-example is found then the process repeats itself with another binary vector and another signed permutation.

The idea behind the algorithm is the following. First we compute implicant terms (but not necessarily prime implicants) for a larger coverage of the search. Then, we look for a binary nonequivalence in the environment of an $M$-nonequivalence. The latter is more common and hence can be more easily detected, see e.g. Example 6.3. Finally, the existence of an $M$-nonequivalence hints at a possible binary nonequivalence.
Algorithm 2 Simulation procedure for nonequivalence
Input: Two combinational designs $A$, $B$ on inputs $x_1, \dots, x_n$
Output: If found, a counter-example to the equivalence of $A$ and $B$
1: while true do
2:   Obtain a vector $v \in \{1, -1\}^n$
3:   if $A(v) \ne B(v)$ then
4:     return $v$
5:   end if
6:   Obtain a signed permutation $w = (v, \sigma)$ of size $n$
7:   $v_A \leftarrow$ a maximal abstract valuation by Algorithm 1 on $A, w$
8:   $v_B \leftarrow$ a maximal abstract valuation by Algorithm 1 on $B, w$
9:   if $v_A \ne v_B$ then
10:    if $\exists\, k > 0$ indexes $i$ with $v_B[i] \ne v_A[i] = X$ then
11:      for each of the $2^k$ binary combinations $u$ of flipping the values $v[i]$ do
12:        if $B(u) \ne B(v)$ then
13:          return $u$
14:        end if
15:      end for
16:    end if
17:    Repeat the process on $A$ for indexes $i$ satisfying $v_A[i] \ne v_B[i] = X$
18:  end if
19: end while
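To make the two algorithms concrete, here is a Python rendering of Algorithm 1 and Algorithm 2, added as an example and not taken from the paper. Circuits are nested tuples over 0-based input indices, a `trials` list replaces the two "obtain" steps, and the specification and implementation pair (`SPEC`, and `IMP` with an extra conjunctive term, in the spirit of Example 6.3) is constructed for the demonstration. The output is re-evaluated after every swap, as the proof of Proposition 6.1 requires, so that the index used in $p_i$ is the absolute output of the vector that is finally projected.

```python
"""Added example (not part of the paper): Algorithms 1 and 2 in Python.

A circuit is a nested tuple: an int k is the input x_k (0-based); ('not', e),
('and', ...) and ('or', ...) are gates interpreted as negation, minimum and
maximum over M.  A vector is a tuple of non-zero ints: the sign is the binary
value, the absolute value the truth degree.  The output is re-evaluated after
each swap, so that i is the absolute output of the final w when p_i is applied.
The two designs used for the demonstration are constructed for this example."""
from itertools import product

X = "X"


def ev(circuit, w):
    """Evaluate over M: negation, min and max on the vector w."""
    if isinstance(circuit, int):
        return w[circuit]
    op, *args = circuit
    if op == "not":
        return -ev(args[0], w)
    vals = [ev(a, w) for a in args]
    return min(vals) if op == "and" else max(vals)


def binary(circuit, v):
    """The B2 result: the sign of the M result."""
    return ev(circuit, v) > 0


def signed_permutation(v, sigma):
    """w = (v, sigma): signs v in {-1, 1}^n times a permutation sigma of 1..n."""
    return tuple(s * a for s, a in zip(v, sigma))


def maximal_abstract_valuation(circuit, w):
    """Algorithm 1: swap the absolute value of the output with the largest
    remaining one until the output reaches the boundary, then map every input
    below the output to X.  Returns a tuple over {'T', 'F', 'X'}."""
    w = list(w)
    i, j = abs(ev(circuit, w)), len(w)
    while i < j:
        for k, a in enumerate(w):          # sigma[i <-> j]: signs untouched
            if abs(a) == i:
                w[k] = j if a > 0 else -j
            elif abs(a) == j:
                w[k] = i if a > 0 else -i
        j -= 1
        i = abs(ev(circuit, w))
    return tuple(X if abs(a) < i else ("T" if a > 0 else "F") for a in w)


def nonequivalence_by_simulation(a_design, b_design, trials):
    """Algorithm 2 for a finite list of trials (v, sigma): v is a binary vector
    in {-1, 1}^n and sigma a permutation of 1..n.  Returns a binary vector on
    which the designs differ, or None if no trial exposed one."""
    for v, sigma in trials:
        if binary(a_design, v) != binary(b_design, v):
            return v                                       # line 4
        w = signed_permutation(v, sigma)
        va = maximal_abstract_valuation(a_design, w)
        vb = maximal_abstract_valuation(b_design, w)
        if va == vb:
            continue
        # Lines 10-17: where one design reads X and the other a binary value,
        # flipping those inputs leaves the first design's output unchanged, so
        # any change in the other design's output is a binary counter-example.
        for other, x_side, bin_side in ((b_design, va, vb), (a_design, vb, va)):
            idx = [k for k in range(len(v)) if x_side[k] == X and bin_side[k] != X]
            base = binary(other, v)
            for flips in product((1, -1), repeat=len(idx)):
                u = list(v)
                for k, f in zip(idx, flips):
                    u[k] *= f
                u = tuple(u)
                if binary(other, u) != base:
                    return u
    return None


# Example 6.3 flavour: imp = spec + a conjunctive term that is wrong on one input.
SPEC = ("or", 0, ("and", 1, 2, 3))
IMP = ("or", SPEC, ("and", ("not", 0), ("not", 1), 2, 3))

if __name__ == "__main__":
    print(maximal_abstract_valuation(("or", ("and", 0, 2), 1), (1, 2, 3)))
    print(nonequivalence_by_simulation(SPEC, IMP, [((-1, -1, 1, -1), (2, 3, 4, 1))]))
```

On $\varphi = x_1 x_3 + x_2$ with $w = (1, 2, 3)$ the first simulation gives 2, the swap of 2 and 3 gives $w = (1, 3, 2)$ and output 3, and the projection is $(X, T, X)$: $x_2$ alone is the implicant found. For `SPEC` and `IMP` on $v = (-1, -1, 1, -1)$ with $\sigma = (2, 3, 4, 1)$ the binary outputs agree, but the maximal abstract valuations are $(F, F, X, X)$ and $(F, X, X, F)$; flipping $x_4$, which `SPEC` does not care about, changes `IMP` and yields the binary counter-example $(-1, -1, 1, 1)$.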
7 Verification of Sequential Circuits

Sequential circuits contain memory elements which introduce cycles and time dependent properties, hence they are much harder to verify. However, at each cycle (time step), the behavior is similar to that of a combinational design, where the output as well as the memory variables are Boolean functions of the input and the memory variables. Thus, in some common model checking methods, like bounded model checking (see e.g. [?, ?, 21, ?]), the circuit is finitely unrolled and then methods like SAT-based algorithms are applied to the resulting combinational design. Hence, the approach presented in the previous section applies also here. Yet, $M$-simulations can contribute to the verification of sequential circuits in ways which are unique to these types of circuits. One such way is achieved by augmenting the input values with temporal data. In what follows we hint briefly at the potential of performing $M$-simulations on sequential designs.


7.1 Temporal Values

One way we can benefit from using $M$ instead of binary logic is by incorporating time into the variable values. That is, an implicit global clock measures absolute time, and each new input value is assigned the time (date) of its "birth". We may use the $k$ least significant digits for the truth values (the truth part) and the other digits (the temporal part) for expressing the time of birth of that value. At each time step the temporal parts of all the values of the input variables are incremented by 1, while the truth parts may vary. For example, suppose we allocate the last 3 digits for the truth part and the other digits for the temporal part. Then the input values may look like this (for 6 input variables):

Time 0:    00 005   -00 002   -00 003   -00 004    00 001    00 006
Time 1:   -01 004   -01 005    01 002    01 001    01 006   -01 003
Time 2:   -02 006    02 003    02 002   -02 005   -02 004    02 001
Time 3:    03 002   -03 005    03 001   -03 003   -03 006    03 004
Time 40:  -40 006   -40 005    40 001    40 002   -40 004    40 003

Within this approach of an increasing sequence of temporal values we may 
still want to make sure that special control variables will obtain larger abso¬ 
lute values than those of the variables they interact with. 




The advantage of having temporal values is that the state of the circuit 
at a given time reflects directly its history: each value of a non-input variable 
bears its “age”, in addition to the truth degree and input variable it origi¬ 
nated at. We can then observe the flow of data in space-time; e.g. pick a 
specihc value at birth in some input variable, trace its evolution along time, 
until death at some time in future. Timing considerations in the design stage 
may also beneht from the information within temporal values. 


7.2 Initialization.

In the setting of ternary logic, one starts from an "all-$X$" state and simulates with a sequence of binary input vectors until reaching a complete binary state, thus finding a "universal" initialization sequence. When performing any simulation task over $M$ with "time stamps" as above, we are at the same time conducting an initialization test in the background. Moreover, at each time step $k$ a new initialization test starts. Thus, if we are interested in the shortest initialization sequence, we can check at each time step $l$ the lowest temporal part $k$ that exists in the values of the variables of that state, which refers to an initialization sequence of length $(l - k) + 2$. Since the input values are incremented in absolute value at each time step, then, by Theorem 3.4, when reaching a state in which all temporal values smaller than $k$ have already vanished, this is equivalent to the disappearance of the $X$ values in the ternary initialization.
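As an added example (not from the paper) of temporal values and of the initialization test they carry along, the Python script below simulates a two-register design over $M$ with time-stamped inputs. The design ($r_1 \leftarrow x_1$, $r_2 \leftarrow r_1 \wedge x_2$, output $r_2$), the 3-digit truth part, the convention that the initial state is stamped 0 and the first input vector 1, and the use of distinct truth parts to name the input a value was born at are all assumptions made for the example.

```python
"""Added example (not part of the paper): temporal values (Section 7.1) and
the initialization test they carry along (Section 7.2) on a small sequential
design constructed for this example: two registers with
r1 <- x1 and r2 <- r1 AND x2, output r2.

Assumptions: the three least significant decimal digits are the truth part
and the digits above them the temporal part ("date of birth"); the initial
register contents are stamped with temporal part 0 and the first input vector
with temporal part 1; distinct truth parts identify the input an output value
originated at (its "place of birth")."""
TRUTH_DIGITS = 3
BASE = 10 ** TRUTH_DIGITS


def stamp(t, truth):
    """Encode a non-zero truth value born at time t; the sign is the binary value."""
    assert truth != 0 and abs(truth) < BASE
    return (t * BASE + abs(truth)) * (1 if truth > 0 else -1)


def birth(a):
    """Temporal part of an M-value."""
    return abs(a) // BASE


def truth(a):
    """Truth part of an M-value, with its sign."""
    return (abs(a) % BASE) * (1 if a > 0 else -1)


def step(state, x1, x2):
    """One clock cycle over M (AND is min); the inputs arrive already stamped."""
    r1, r2 = state
    return (x1, min(r1, x2))


def simulate(initial, inputs):
    """inputs[t-1] is the truth pair (x1, x2) applied at time t = 1, 2, ...;
    returns the sequence of register states, starting with the initial one."""
    states = [initial]
    for t, (a, b) in enumerate(inputs, start=1):
        states.append(step(states[-1], stamp(t, a), stamp(t, b)))
    return states


def oldest_birth(state):
    """Lowest temporal part present in a state."""
    return min(birth(a) for a in state)


def initialization_length(states):
    """Index of the first state in which no value born before the first input
    survives: the M counterpart of the all-X ternary state turning binary."""
    for l, s in enumerate(states):
        if oldest_birth(s) >= 1:
            return l
    return None


ORIGIN = {3: "x1", 4: "x2"}               # truth parts chosen for the two inputs
INITIAL = (stamp(0, 1), stamp(0, -2))     # r1 = T, r2 = F, both of "age" 0


def trace_origin(a):
    """Where and when an observed value was born."""
    return ORIGIN.get(abs(truth(a)), "initial state"), birth(a)


if __name__ == "__main__":
    run = simulate(INITIAL, [(3, 4), (-3, 4)])
    for t, s in enumerate(run):
        print(t, s, "oldest birth:", oldest_birth(s))
    print("initialized after", initialization_length(run), "steps;",
          "output came from", trace_origin(run[-1][1]))
```

With $x_2$ true at time 1 the old contents of $r_2$ survive one more cycle (over $K_3$ this is $X \wedge T = X$), so the state is initialized after two steps; with $x_2$ false at time 1 the new value dominates ($X \wedge F = F$) and initialization is complete after one step. The truth part of the final output, 3, names $x_1$ as its place of birth and its temporal part, 1, the time.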


7.3 Prioritizing. 

To a certain extent, it is possible to manipulate the flow of data in the design. For example, the absolute value of the output of an XOR or XNOR gate equals the minimum of the absolute values of the inputs. A prioritizing methodology may then be applied to drive desired inputs toward the outputs by assigning them smaller absolute values, so that they propagate through these gates in a design full of them. Similar methods may be applied in order to increase the coverage of elements like signals, gates or latches in simulations by forcing the data to pass through these elements. Formal or semi-formal methods may also be applied here. Otherwise, we can measure the coverage performance of a simulation sequence in terms of the coverage of the graph representation by the trees that correspond to the values at the primary outputs. 
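The prioritizing idea above, as an added example that is not the paper's own code and does not implement its algebra M: a deliberately simplified model in which the sign of an integer carries the binary truth, its magnitude is the priority, and a tag records the primary input the value was born at. Only the min-of-absolute-values rule for XOR/XNOR is taken from the text; the sign rule and the "origin travels with the smaller magnitude" rule are assumptions made here so that the favoured input's tag can be observed at the output.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class MVal:
    # Assumed simplified model (not the paper's algebra M): the sign carries the
    # binary truth (+ true, - false), |value| is the priority and `origin` names
    # the primary input the value was "born" at.
    value: int
    origin: str


def m_xor(a: MVal, b: MVal) -> MVal:
    """XOR in the model: |out| = min(|a|, |b|) as stated in Sect. 7.3; the truth
    is the binary XOR of the signs; the origin tag travels with the input of
    smaller magnitude (assumed rule; ties go to the first input)."""
    truth = (a.value > 0) != (b.value > 0)
    winner = a if abs(a.value) <= abs(b.value) else b
    mag = abs(winner.value)
    return MVal(mag if truth else -mag, winner.origin)


def m_xnor(a: MVal, b: MVal) -> MVal:
    r = m_xor(a, b)
    return MVal(-r.value, r.origin)


GATES: Dict[str, Callable[[MVal, MVal], MVal]] = {"xor": m_xor, "xnor": m_xnor}
Netlist = List[Tuple[str, str, str, str]]  # (gate, out, in1, in2), topological order


def simulate(netlist: Netlist, inputs: Dict[str, MVal]) -> Dict[str, MVal]:
    env = dict(inputs)
    for gate, out, x, y in netlist:
        env[out] = GATES[gate](env[x], env[y])
    return env


def prioritized_inputs(bits: Dict[str, bool], favoured: str) -> Dict[str, MVal]:
    """Give `favoured` magnitude 1 and every other input a distinct larger
    magnitude, so the favoured tag wins the min-abs rule at each XOR/XNOR gate."""
    env = {favoured: MVal(1 if bits[favoured] else -1, favoured)}
    for mag, name in enumerate(sorted(n for n in bits if n != favoured), start=2):
        env[name] = MVal(mag if bits[name] else -mag, name)
    return env


def binary_parity(bits: Dict[str, bool]) -> bool:
    return sum(bits.values()) % 2 == 1


# Constructed sample design: a 4-input parity tree built from three XOR gates.
PARITY_TREE: Netlist = [("xor", "ab", "a", "b"), ("xor", "cd", "c", "d"),
                        ("xor", "out", "ab", "cd")]
```

Whichever input is favoured, its tag reaches `out` with magnitude 1 while the sign of `out` still agrees with the binary parity of the inputs.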
7.4 Composition of Blocks. 

When a design is composed of several blocks then we may run M-simulations in a way that reflects this higher order partition. For example, when there is little overlap between the inputs of the blocks then the input values may be grouped by absolute values according to the blocks, possibly assigning higher absolute values to blocks that are of shorter distance to the primary outputs. In this way, we shift attention to the hierarchical structure of the design and to the interactions and dependencies between the blocks rather than to the more detailed structure inside the blocks. 

7.5 Equivalence Verification. 

The discussion and methods presented when considering combinational designs can be extended to sequential ones. As for comparing the qualities of the designs, we refer to for a somewhat related work. 

7.6 Generating Assertions. 

When trying to formally verify sequential circuits, whether for property or for equivalence checking, it is almost unavoidable to try to break the problem into sub-problems to be verified first. This incremental methodology requires the generation of potential assertions, also referred to as lemmas, and the more refined MVL may be of help here. In equivalence verification we can find correlations between variables, applying probabilistic methods if needed, in a more accurate manner over M since the spread of values is wider. The designer may also provide refined assertions over M for assertion-based verification and simulation. For example, if the designer knows that some property should hold under an assumption that relies on specific input values, then the property may be checked with these input values being of higher absolute value than other input values, to make sure that the output does not depend in this case on other inputs. Assertions may also refer to the temporal values of the variables, conducting an explicit model checking over M. For example, properties may include exact absolute time and exact delays by referring to the temporal part of the clock variable, so that it becomes explicit and natural to express properties of Metric Temporal Logic (MTL) over Z. These ideas need to be further explored. 
8 Conclusion 


Simulations over the multiple-valued logic M are more refined and informative than over binary and ternary logics, thus providing a novel potential approach to the complex task of verification of HW designs. A state of the system is enriched with data that includes degrees of truth and, for sequential designs, identity stamps like "place" and "date of birth". We presented the theory behind computations and verification over M, and discussed general directions, including algorithms, for applying M-simulations to different verification tasks. Future goals include implementing and checking these ideas on real HW designs and developing specific and elaborate strategies and algorithms. 